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Claims 

What is claimed is: 

1 . A system of establishing a secure link among multiple users on a single 
machine with a remote machine, comprising: 

a subsystem to filter traffic so that traffic from each user is separate; 

wherein the subsystem generates and associates a Security Association (SA) 
with at least one filter corresponding to the user and the traffic and employs the SA to 
establish the secure link. 

■ : !f 2. The system of claim 1 being located on the single machine. 
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i& 3. The system of claim 1 being located on the remote machine. 
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s 4 4. The system of claim 1, wherein the subsystem further comprises an Internet 

L Key Exchange module and a policy module to generate and associate the security 

m 

association. 

?%_ 5. The system of claim 4, wherein the policy module is configured via Internet 

Protocol Security (IPSEC). 

6. The system of claim 5, wherein filters are provided from the policy module in 
order to filter traffic associated with the single machine and the remote machine. 

7. The system of claim 6, wherein the single machine filter is associated with a 
communications port on the single machine. 
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8. The system of claim 7, wherein the remote machine determines filters 
dynamically to communicate with the filters associated with the single machine. 

9. The system of claim 4, wherein the IKE module is adapted to provide User 
Mode negotiations in order to establish a secure link among the users. 

10. The system of claim 9, wherein the User Mode negotiations utilize keying 
material derived from Main Mode negotiations in order to provide the secure link 
among users. 

1 1 . The system of claim 1 0 5 wherein the User Mode enables a plurality of Quick 
Mode negotiations in order to provide the secure link among users. 

5. -J 

12 1 2. The system of claim 1 1 , wherein the User Mode negotiation further comprises 

J y an initiator packet including at least one of a user identification initiator, a security 

Si association attribute, a nonce initiator, a proxy source, and a proxy destination. 

l& 

1 U 13. The system of claim 1 2, wherein the initiator packet further comprises a user 

I'U 

O identification responder. 

P 
y 

14. The system of claim 11, wherein the User Mode negotiation further comprises 
a responder packet including at least one of a user identification responder, a security 
association attribute, and a nonce responder. 

1 5. The system of claim 1 1 , wherein the User Mode enables a plurality of 
authentication packets to be sent to authenticate among users. 
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16. A system of establishing a secure link between a first machine and multiple 
services on a second machine, comprising: 

a subsystem to filter traffic so that traffic from each service is separate; 

wherein the subsystem generates and associates a Security Association (SA) 
with at least one filter corresponding to the user and the service and employs the SA 
to establish the secure link. 

17. The system of claim 16, wherein the subsystem further comprises an Internet 
Key Exchange module and a policy module to generate and associate the security 
association. 

18. The system of claim 1 7, wherein the policy module is configured via Internet 
Protocol Security (IPSEC). 

19. The system of claim 1 8, wherein filters are provided from the policy module 
in order to filter traffic associated with the first machine and the second machine. 

20. The system of claim 19, wherein the first machine filter is associated with a 
communications port on the first machine. 

21 . The system of claim 20, wherein the second machine determines filters 
dynamically to communicate with the filters associated with the first machine. 

22. The system of claim 4, wherein the IKE module is adapted to provide User 
Mode negotiations in order to establish a secure link between the services. 

23. The system of claim 22, wherein the User Mode negotiation further comprises 
an initiator packet including at least one of a user identification initiator, a security 
association attribute, a nonce initiator, a proxy source, and a proxy destination. 
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24. The system of claim 23, wherein multiple services are authenticated on the 
second machine by utilizing a policy look-up associated with service information 
relating to the initiator packet. 

25. The system of claim 24, wherein if a multiple service authentication fails, the 
second machine initiates a User Mode negotiation. 

26. A method of establishing a secure link among multiple users on a single 
machine with a remote machine, comprising the steps of: 

filtering traffic so that traffic from each user is separate; 

negotiating and authenticating a Security Association (SA) with at least one 
™S filter corresponding to the user and the traffic; and 

" ; ^ employing the S A to establish the secure link. 

j ^ 27. A method of establishing a secure link between a first machine and multiple 

J services on a second machine, comprising the steps of: 

i& filtering traffic so that traffic from each service is separate; 

jif! negotiating and authenticating a Security Association (SA) with at least one 

O filter corresponding to the services and the traffic; and 

CD 

Q employing the SA to establish the secure link. 

28. A system for establishing a secure link among multiple users on a single 
machine with a remote machine, comprising: 

means for filtering traffic so that traffic from each user is separate; 

means for negotiating and authenticating a Security Association (SA) with at 
least one filter corresponding to the user and the traffic; and 

means for employing the SA to establish the secure link. 
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29. A system of establishing a secure link between a first machine and multiple 
services on a second machine, comprising: 

means for filtering traffic so that traffic from each service is separate; 
means for negotiating and authenticating a Security Association (S A) with at 
least one filter corresponding to the services and the traffic; and 
means for employing the SA to establish the secure link. 

30. A computer readable medium having stored thereon computer executable 
components, comprising: 

a component to filter traffic between a first machine, having multiple users, 
and a second machine so that traffic for the first machine is separated in accordance 
with the respective users; and 

a component to generate and associate a Security Association (SA) with at 
least one filter, corresponding to at least one of the users and the respective traffic, 
and employs the SA to establish a secure link between the first and second machines. 

31. A data packet adapted to be transmitted between at least two processes, 
comprising: 

a first component to filter traffic between a first process, associated with 
multiple users, and a second process so that traffic for the first process is separated in 
accordance with the respective users; and 

a second component to generate and associate a Security Association (SA) 
with at least one filter, corresponding to at least one of the users and the respective 
traffic, and employs the SA to establish a secure link between the first and second 
processes. 



30 



• ♦ 



32. A computer readable medium having stored thereon computer executable 
components, comprising: 

a component to filter traffic between a first machine, having multiple services, 
and a second machine so that traffic for the first machine is separated in accordance 
with the respective services; and 

a component to generate and associate a Security Association (SA) with at 
least one filter, corresponding to at least one of the services and the respective traffic, 
and employs the SA to establish a secure link between the first and second machines. 

33. A data packet adapted to be transmitted between at least two processes, 
comprising: 

a first component to filter traffic between a first process, associated with 
multiple services, and a second process so that traffic for the first process is separated 
in accordance with the respective services; and 

a second component to generate and associate a Security Association (SA) 
with at least one filter, corresponding to at least one of the services and the respective 
traffic, and employs the SA to establish a secure link between the first and second 
processes. 

34. The data packet of claim 33, wherein at least one of the processes is executed by 
a distributed processing system. 
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